CVE-2024-42056

Name of the Vulnerable Software and Affected Versions Retool (self-hosted enterprise) versions 3.18.1 through 3.40.0

Description The issue allows an authenticated attacker to discover credentials for users with "Use" permissions via the "/api/resources" endpoint. This is due to the insertion of resource authentication credentials into sent data.

Recommendations For versions 3.18.1 through 3.40.0, consider restricting access to the "/api/resources" endpoint until a patch is available. As a temporary workaround, limit the permissions of users to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.